express-js
Safeguard articles tagged "express-js" — guides, analysis, and best practices for software supply chain and application security.
5 articles
Broken access control in Express: the OWASP #1 risk, fixed with middleware
Broken access control now shows up in 100% of tested applications, per OWASP's 2025 Top 10 — up from 94% in 2021. Here's how to close it in Express.
Comparing Node.js frameworks for security: Express, Fastify, NestJS
Express, Fastify, and NestJS compared on real CVE history, default security posture, and dependency risk — plus how to close the gaps framework choice alone can't.
Preventing broken access control in Express.js applications
Express.js ships with no built-in authorization layer, making broken access control easy to introduce and hard to catch with pattern-based scanners.
Express.js open redirect vulnerability (CVE-2024-29041)
CVE-2024-29041 lets attackers weaponize Express.js redirects for phishing. See affected versions, CVSS/EPSS data, and how to remediate fast.
Express.js Security Middleware: An Audit
Express remains the default Node.js framework at most shops, and its middleware ecosystem is a thirteen-year accumulation of packages, some abandoned, some indispensable. This is a pragmatic audit of what belongs in a 2023 Express stack.